---
title: "Git Over SSH"
date: 2020-07-26T20:10:21-05:00
draft: true
tags:
  - git
  - ssh
  - shell
  - login
  - security
  - howto
---

The SSH protocol is intended to authenticate and connect to remote servers and services. If you have an account on a remote git service, SSH is very useful for avoiding typing a username and password on each `git push`, `git pull` or `git fetch`.

## Check for existing ssh keys

First, check your system for existing SSH keys; if you have one, you can use it to connect to your remote service. Type this in a terminal (on Unix systems).

```bash
# List your ~/.ssh directory to see if SSH keys exist.
$ ls -al ~/.ssh
```

If you already have SSH keys, you should see a file listing with names similar to these:

```bash
id_rsa.pub
id_ecdsa.pub
id_ed25519.pub
```
If you want to use them to authenticate to a git service read [add SSH key to the ssh-agent](#add-ssh-key-to-the-ssh-agent). If you don't want to use those to authenticate, you may want to [generate a new SSH key](#generate-a-new-ssh-key).

If the previous command fails, either because the directory does not exist or because there are no files inside it, you need to [generate a new SSH key](#generate-a-new-ssh-key).
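
A `.pub` file alone does not prove a usable key pair: the private half must exist, and `ssh` ignores a private key file that is accessible by other users. The following added example (not from the original post; `check_ssh_keys` and the demo directory are names chosen here) checks both conditions for every public key in a directory.

```bash
# Added example; check_ssh_keys is a hypothetical helper, not an OpenSSH tool.
# check_ssh_keys DIR: for every public key in DIR, report a missing private key
# ("orphan") or a private key whose mode grants any access to group or others
# ("loose"). Prints nothing when every key pair is fine.
check_ssh_keys() {
  dir=${1:-$HOME/.ssh}
  for pub in "$dir"/*.pub; do
    [ -e "$pub" ] || continue            # the glob matched nothing
    key=${pub%.pub}
    if [ ! -f "$key" ]; then
      echo "orphan ${pub##*/}"
      continue
    fi
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || echo "loose ${key##*/}"
  done
}

# Demo on a constructed directory so nothing in the real ~/.ssh is touched.
demo=$(mktemp -d)
for name in id_ed25519 id_rsa; do
  : > "$demo/$name"; : > "$demo/$name.pub"
done
: > "$demo/id_ecdsa.pub"                 # public key with no private half
chmod 600 "$demo/id_ed25519"
chmod 644 "$demo/id_rsa"                 # readable by group and others
check_ssh_keys "$demo"
```

Run `check_ssh_keys` with no argument to check `~/.ssh`; a key reported as loose is fixed with `chmod 600`.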

## Generate a new SSH key

To generate a new ssh key the general format for the command is:

```bash
$ ssh-keygen -t <dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa> -b <bits> -C <comment>
```

According to the [OpenSSH manual](https://www.openssh.com/manual.html), you must provide a type of key to create after the `-t` flag. The possible values are:

* [dsa]: Digital Signature Algorithm
* [ecdsa]: Elliptic Curve Digital Signature Algorithm
* [ecdsa-sk]: Elliptic Curve Digital Signature Algorithm with support for FIDO/U2F hardware authenticators.
* [ed25519]: Edwards-curve Digital Signature Algorithm
* [ed25519-sk]: Edwards-curve Digital Signature Algorithm with support for FIDO/U2F hardware authenticators.
* [rsa]: Rivest–Shamir–Adleman Algorithm

With the `-b` flag you specify the number of bits in the key to create. For RSA, the minimum size is 1024 bits and the default is 3072 bits. For ECDSA keys, `-b` specifies the key length: you can select from three elliptic curve sizes, 256, 384 or 521 bits. This flag is ignored for ECDSA-SK, Ed25519 and Ed25519-SK keys because they have a fixed length.

The `-C` flag provides a comment; usually you give your email address or another label that associates the key with you.

### Example:

Open a terminal and type:

```bash
$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```
This will output:
```bash
> Generating public/private rsa key pair.
```

Enter a file where you want to save the key, usually inside the `~/.ssh` directory.

```bash
> Enter a file in which to save the key (/home/user/.ssh/id_rsa): [press enter]
```

Enter a passphrase. You will be asked for it when you add the key to the agent.

```bash
> Enter passphrase (empty for no passphrase): [type a passphrase]
> Enter same passphrase again: [type a passphrase]
```

In general, follow the prompts the command prints; they may vary depending on the options you use.

## Add SSH key to the SSH agent

Once you have your SSH key, you need to add it to the `ssh-agent`.

Start the `ssh-agent` in the background:

```bash
$ eval "$(ssh-agent -s)"
```

This will output:
```bash
> Agent pid 23872
```

Add the SSH private key to the `ssh-agent`. If you saved the key under a different file name, provide that name instead.

```bash
$ ssh-add ~/.ssh/id_rsa
```

Enter the passphrase you chose when you created the key.

```bash
Enter passphrase for /home/user/.ssh/id_rsa:
```

This will print:
```bash
Identity added: /home/user/.ssh/id_rsa (your_email@example.com)
```

You can confirm your addition with:
```bash
$ ssh-add -l
```

This will print:
```bash
4096 SHA256:<some rsa fingerprint> your_email@example.com (RSA)
```

You can always view the added keys with `ssh-add -l`. Make sure the `ssh-agent` is running; otherwise you won't be able to authenticate to your service.
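
As an added example (not part of the original post), the script below reads lines in the `ssh-add -l` format shown above and flags keys by type and size. The function names and the policy are assumptions made here: DSA is rejected because OpenSSH has disabled it by default since version 7.0, and RSA keys below the 3072-bit `ssh-keygen` default are marked weak.

```bash
# Added example; the verdicts are an assumed policy, not OpenSSH behaviour.
# classify_key LINE: print "<verdict> <type> <bits>" for one line in the
# "<bits> <fingerprint> <comment> (<TYPE>)" format printed by `ssh-add -l`.
classify_key() {
  line=$1
  bits=${line%% *}          # first field
  type=${line##*\(}         # text after the last "("
  type=${type%\)}           # drop the trailing ")"
  case "$bits" in
    ''|*[!0-9]*) echo "unknown - -"; return ;;  # e.g. "The agent has no identities."
  esac
  case "$type" in
    DSA) verdict=reject ;;                      # disabled by default since OpenSSH 7.0
    RSA) if [ "$bits" -lt 3072 ]; then verdict=weak; else verdict=ok; fi ;;
    ECDSA|ECDSA-SK|ED25519|ED25519-SK) verdict=ok ;;
    *) verdict=unknown ;;
  esac
  echo "$verdict $type $bits"
}

# audit_keys: read fingerprint lines on stdin, print those that are not "ok",
# and return 1 if any were printed.
audit_keys() {
  flagged=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    result=$(classify_key "$line")
    case "$result" in
      ok\ *) ;;
      *) flagged=1; echo "$result" ;;
    esac
  done
  return "$flagged"
}

# Constructed sample lines (fingerprints are placeholders, not real keys).
sample='4096 SHA256:PLACEHOLDER-A your_email@example.com (RSA)
2048 SHA256:PLACEHOLDER-B old laptop key (RSA)
1024 SHA256:PLACEHOLDER-C legacy@example.com (DSA)
256 SHA256:PLACEHOLDER-D your_email@example.com (ED25519)'

printf '%s\n' "$sample" | audit_keys || echo "review the keys listed above"
```

To audit the keys actually loaded in your agent, pipe the real listing in: `ssh-add -l | audit_keys`.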

## Test SSH connection

If you want to test whether you are able to authenticate, try this command:

```bash
$ ssh -T git@git.service.com
```

Replace `git@git.service.com` with the service you want to authenticate to; this is just an example.

You should receive a welcome message without shell access. This proves you can now work with SSH authentication enabled.

## Add the SSH key to your git service account

Git hosting services often offer a web dashboard where you can add the public keys that will authenticate your activity on repositories.

First you need to copy your SSH public key to your system clipboard using [xclip](https://linux.die.net/man/1/xclip) or with a text editor.

```bash
$ xclip -sel clip < ~/.ssh/id_rsa.pub
```

Once you have the public key in your clipboard, open your service's web interface and paste it into the dashboard. Look in the settings page for a section such as "SSH and GPG keys", click the "Add new SSH key" or "Add SSH key" button, add a description, and paste the key from your clipboard into the key text field.

## SSH key passphrases

A passphrase adds an extra layer of security to your keys. You can add or change the passphrase of your SSH key, and you can use the `ssh-agent` to securely save your passphrase and avoid typing it each time you want to authenticate.

### Add or change passphrase

To change a passphrase for an existing private key without regenerating the key pair, type:
```bash
$ ssh-keygen -p
```

This command will prompt you with the following:
```bash
# Start the passphrase change process
> Enter file in which the key is (/home/user/.ssh/id_rsa): [hit enter or specify the file name]
> Key has comment '/home/user/.ssh/id_rsa'
> Enter new passphrase (empty for no passphrase): [Type a new passphrase]
> Enter same passphrase again: [Type the passphrase again]
> Your identification has been saved with the new passphrase.
```

If your key already had a passphrase you will need to enter it in order to change it.

See [using ssh-agent] for how to configure `ssh-agent` for passwordless logins.

## References:

+ [dsa](https://www.ietf.org/rfc/rfc3279.txt)
+ [ecdsa](https://tools.ietf.org/html/rfc6605)
+ [ecdsa-sk](https://www.openssh.com/txt/release-8.2)
+ [ed25519](https://tools.ietf.org/html/rfc8032)
+ [ed25519-sk](https://www.openssh.com/txt/release-8.2)
+ [rsa](https://tools.ietf.org/html/rfc8017)
+ [using ssh-agent](https://www.ssh.com/academy/ssh/agent)
